Skip to content

T1114.001 Local Email Collection

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.1 IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.2

Item Value
ID T1114.001
Sub-techniques T1114.001, T1114.002, T1114.003
Tactics TA0009
Platforms Windows
Permissions required User
Version 1.0
Created 19 February 2020
Last Modified 24 March 2020

Procedure Examples

ID Name Description
G0006 APT1 APT1 uses two utilities, GETMAIL and MAPIGET, to steal email. GETMAIL extracts emails from archived Outlook .pst files.15
S0030 Carbanak Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.12
G0114 Chimera Chimera has harvested data from victim’s e-mail including through execution of wmic /node: process call create “cmd /c copy c:\Users\\\backup.pst c:\windows\temp\backup.pst” copy “i:\\\My Documents\.pst”
copy.17
S0050 CosmicDuke CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.13
S0115 Crimson Crimson contains a command to collect and exfiltrate emails from Outlook.14
S0367 Emotet Emotet has been observed leveraging a module that scrapes email data from Outlook.9
S0363 Empire Empire has the ability to collect emails on a target system.4
S0526 KGH_SPY KGH_SPY can harvest data from mail clients.11
G0059 Magic Hound Magic Hound has collected .PST archives.16
S0594 Out1 Out1 can parse e-mails on a target machine.3
S0192 Pupy Pupy can interact with a victim’s Outlook session and look through folders and emails.5
S0650 QakBot QakBot can target and steal locally stored emails to support thread hijacking phishing campaigns.6
678
S0226 Smoke Loader Smoke Loader searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.).10

Mitigations

ID Mitigation Description
M1041 Encrypt Sensitive Information Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Access

References

  1. N. O’Bryan. (2018, May 30). Managing Outlook Cached Mode and OST File Sizes. Retrieved February 19, 2020. 

  2. Microsoft. (n.d.). Introduction to Outlook Data Files (.pst and .ost). Retrieved February 19, 2020. 

  3. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  4. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 

  5. Nicolas Verdier. (n.d.). Retrieved January 29, 2018. 

  6. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  7. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  8. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  9. CIS. (2018, December 12). MS-ISAC Security Primer- Emotet. Retrieved March 25, 2019. 

  10. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. 

  11. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  12. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. 

  13. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. 

  14. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  15. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  16. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. 

  17. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. 

Back to top